We’ve engineered Office to be secure by design and continually invest in enhancing its security capabilities. In the spirit of maintaining a high security bar in Office, we’re launching the Bug Bounty Program for Office Insider Builds on Windows.
The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing.
The Microsoft Cloud and Online Services Bounty Program has helped us identify elusive vulnerabilities and provided a way to reward the individuals actively partnering with us to protect our customers. We want to continue incentivizing research around design and logic and reward deeper thought in important areas of Office.
Office Insider Builds give users early access to the latest Office capabilities and security innovation. By testing against these early builds, issues can potentially be found prior to production release. This helps improve quality and protect customers.
How it works
- Types of vulnerabilities awarded and their details are listed in the Microsoft Office Insider Builds on Windows Bounty Program Terms, including:
- Elevation of privilege via Office Protected View
- Macro execution by bypassing security policies to block macros
- Code execution by bypassing Outlook automatic attachment block policies
- The program duration is for three months from March 15 to June 15, 2017
- Bounty payout ranges during this period will be $6,000 to $15,000 USD
Call to action: send your vulnerabilities to firstname.lastname@example.org
As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.
We look forward to seeing you at Cansecwest 2017 on March 15th and sharing more about the program.
Tom Gallagher and Akila Srinivasan